Supply chain attacks using Polyfill.io service

Threat actors have struck the cybersecurity world with a major blow by exploiting the well-known Polyfill.io service in a large-scale supply chain attack, leaving the industry in a state of shock and concern.

The revelation of a massive supply chain campaign within Polyfill.io, a widely used JavaScript library service, was brought to light by researchers at Dutch cybersecurity firm Sansec in a recent blog post. The researchers uncovered the injection of malicious Polyfill payloads into over 100,000 websites, with the suspicious activity commencing in February after Funnull, a Chinese company, acquired the Polyfill.io domain and GitHub account.

With the potential to inject malware into mobile devices through any website utilizing the cdn.polyfill.io domain, the impacts of this supply chain attack are far-reaching. Sansec highlighted that despite the open-source library’s intended use to support older browsers, the attack scope is vast, as more than 100,000 sites, including notable ones like Intuit and the World Economic Forum, rely on Polyfill.

The tactic of manipulating GitHub features and accounts for supply chain attacks has been on the rise, a trend noted by cybersecurity experts throughout the year. Sansec’s blog emphasized the dynamic generation of Polyfill code based on HTTP headers, posing multiple possible attack vectors for threat actors.

In one alarming incident investigated by researchers, malicious use of Polyfill led to the redirection of mobile users to a sports betting site through a fake Google Analytics domain. The malicious code was designed with reverse engineering protection and specific activation criteria, avoiding detection by admin users and delaying execution when a web analytics service was present.

Furthermore, Sansec pointed out that the original Polyfill author advised against its use, stating that modern browsers no longer require it. However, the implications of the recent supply chain attack demonstrate the serious risks posed by such exploitation of widely used services like Polyfill.

Following the publication of the Polyfill.io research, Sansec encountered Distributed Denial of Service (DDoS) attacks and reported that Namecheap had suspended the domain, temporarily eliminating the risk. Prior registration of backup domains by Funnull with Namecheap and other registrars had raised concerns among security researchers regarding the potential for further exploits.

In response to the threat posed by Polyfill.io, Cloudflare took decisive action by removing the domain from its content delivery network. The service provider urged users to cease reliance on the compromised service and advised website operators to eliminate Polyfill entirely to mitigate risks. Cloudflare also implemented an automatic JavaScript URL rewriting service to redirect links to Polyfill.io to a safer mirror hosted by cdnjs.
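As an added example (not part of the article, nor tooling from Sansec or Cloudflare), the following Python script audits a page's HTML for `<script>` tags that load from polyfill.io, including the cdn.polyfill.io host named above and protocol-relative `//cdn.polyfill.io/...` URLs, so an operator can find the references to remove or replace. The sample HTML is constructed; note that because the service generated its JavaScript dynamically per request, a Subresource Integrity hash on such a tag would not have helped, which is why removal or a static mirror is the fix.

```python
"""Audit HTML for third-party <script> tags that load from polyfill.io.

Added example: flags any <script src> whose host is polyfill.io or a
subdomain such as cdn.polyfill.io, so the reference can be removed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

FLAGGED_HOST = "polyfill.io"  # domain named in the article


def _is_flagged(src: str) -> bool:
    # Protocol-relative URLs ("//cdn.polyfill.io/...") have no scheme;
    # prepend one so urlsplit yields a hostname.
    if src.startswith("//"):
        src = "https:" + src
    host = (urlsplit(src).hostname or "").lower()
    # Exact host or a subdomain only; "evilpolyfill.io" must not match.
    return host == FLAGGED_HOST or host.endswith("." + FLAGGED_HOST)


class _ScriptCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)  # valueless attributes such as "defer" map to None
        src = a.get("src")
        if src and _is_flagged(src):
            # SRI cannot pin this script: the service generated code
            # dynamically per request, so no single hash exists.
            self.hits.append({"src": src,
                              "has_integrity": "integrity" in a,
                              "line": self.getpos()[0]})


def find_polyfill_scripts(html: str) -> list:
    """Return one record per <script> that loads from polyfill.io."""
    p = _ScriptCollector()
    p.feed(html)
    return p.hits


# Constructed sample page: one absolute and one protocol-relative
# polyfill.io reference, plus a cdnjs script that must not be flagged.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//cdn.polyfill.io/v2/polyfill.js" defer></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/example/1.0/x.js"></script>
<script>console.log("inline");</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for hit in find_polyfill_scripts(SAMPLE_HTML):
        print(f"line {hit['line']}: remove or replace {hit['src']}")
```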

With concerns about supply chain attacks materializing as Polyfill.io users were redirected to malicious sites, Cloudflare’s proactive approach serves as a critical safeguard against widespread web security threats. Estimates reveal that Polyfill.io is utilized on nearly 4% of all websites, underscoring the urgency of addressing vulnerabilities in such popular services.

Additionally, other service providers like Fastly had established mirrors of Polyfill.io prior to the acquisition by Funnull, echoing similar concerns about potential supply chain risks. Despite efforts to secure the internet ecosystem against such threats, the rapid evolution of cyber threats necessitates continuous vigilance and response mechanisms to safeguard critical online services and users.

As the industry grapples with the aftermath of this supply chain attack, the incident serves as a sobering reminder of the persistent and evolving nature of cybersecurity threats in today’s digital landscape. Vigilance, proactive measures, and collaboration among stakeholders remain crucial in fortifying defenses against malicious actors seeking to exploit vulnerabilities in widely used services like Polyfill.io.
